MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6
SHA3-384 hash: 4ebf8e8305df3affae103dc94117ca2daeb98ed2eb68e247914d6f5028f44f11c61126e4d421f502f2e6bb0f83909d59
SHA1 hash: 7f61dd4a9f7b98d811238a2a7773fa4c18a086c1
MD5 hash: e935e578fc9c3f2eb8eb3cf3ae0e1d8e
humanhash: quebec-eleven-diet-delta
File name:c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6
Download: download sample
Signature Formbook
Create hunting rule
File size:628'736 bytes
First seen:2024-01-10 14:56:39 UTC
Last seen:2024-01-10 16:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ViWaKIjXq45YavjhJXhV31L3dUOo//P1x2UKwI6ckkmDfT:YWaKIhYavJhxNUOo/D2II60mrT
Threatray 99 similar samples on MalwareBazaar
TLSH T109D42357218CAF27C5F987FAC445859A02F3D63A0D11C24F2ECF25EA1B2AF0917266D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 3090d469baba0613 (1 x AgentTesla, 1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470216/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2621.18218.5346.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/659eb046fd5068bbc3ced397/reports/3bec947b-b9fe-41a1-b713-4c89342d356a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c05f7daf-3fe7-4ca1-b7f0-6114a377dd3c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1372465
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1372465 Sample: Ov9hNILtQw.exe Startdate: 10/01/2024 Architecture: WINDOWS Score: 100 32 www.byteblast.xyz 2->32 34 www.vida-mais-feliz.shop 2->34 36 18 other IPs or domains 2->36 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 52 4 other signatures 2->52 10 Ov9hNILtQw.exe 4 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 32->50 process4 signatures5 62 Adds a directory exclusion to Windows Defender 10->62 64 Injects a PE file into a foreign processes 10->64 13 Ov9hNILtQw.exe 10->13         started        16 powershell.exe 23 10->16         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 18 RKMjuKKGTkS.exe 13->18 injected 20 WmiPrvSE.exe 16->20         started        22 conhost.exe 16->22         started        process8 process9 24 RpcPing.exe 13 18->24         started        signatures10 54 Tries to steal Mail credentials (via file / registry access) 24->54 56 Tries to harvest and steal browser information (history, passwords, etc) 24->56 58 Writes to foreign memory regions 24->58 60 3 other signatures 24->60 27 RKMjuKKGTkS.exe 24->27 injected 30 firefox.exe 24->30         started        process11 dnsIp12 38 www.byteblast.xyz 162.0.236.122, 49746, 49747, 49748 NAMECHEAP-NETUS Canada 27->38 40 www.skairpewnym.icu 109.123.121.243, 49724, 49725, 49726 UK2NET-ASGB United Kingdom 27->40 42 12 other IPs or domains 27->42
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-29 04:37:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynijvltwanuq5v5jaly5tmjo63bktoqzbhn67rq5oq3saqn6oxda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4df92b37e76afd641f0fa0f6f71aa160a5642d9215528c7fee3eec613c8e386e
Formbook
6f3f99877f8716404854d6dbbb0f47ca698bf84e1968af3b84e79789e6500d6b
Formbook
71cabc7f66e840c073f576ee3051b7e4eb355bc28065a10eb06e5ec737d08221
Formbook
7a2b3db6ca1b0485e240d6da031f84da23ea0009e759404dbaa9eaeae6122721
Formbook
833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6
Formbook
9aac29406f293addac9d256bdbc8a2236fed92c82ea844d9b01dbc8a6704495a
Formbook
d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05
Formbook
e7aaec4e757952b19a3629e6b25ff54f5b2ecb55e0cd4898f2ba8c66cb859fca
Formbook
ed4ef6ea5bca41f50f9300b0c0527ff04a1bb54150202d6e357a92433bda46cf
Formbook
+ 89 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240110-sbk3aaade8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
49921bd9cc6365ff85bcc6b75ebb6ef59718199d450cc78fc67e10d0fb542339
MD5 hash:
edf6b81a8c2968e49453b73c88111c60
SHA1 hash:
a647165ad740f6239aecb7f3feaf77ad173512a0
Link:
https://www.unpac.me/results/82647331-d734-4e9f-bad1-52214beec8b6/
SH256 hash:
666cb98e340b5158ef5797bd5dad61f598b19969d42d14d7c5267301c2b7d532
MD5 hash:
575b66ee28fb3fe42c553cd514e9bfdf
SHA1 hash:
7dc4d72932dcda729fc69751bc4ce6c98a1adc7b
Link:
https://www.unpac.me/results/82647331-d734-4e9f-bad1-52214beec8b6/
SH256 hash:
84c73d6a29ddd770f8ac6e01e9f05cf814e182d7c41fc8a6978c6ba09360fa7a
MD5 hash:
c0ec8c4066f6901ff3655fe4f0345dd3
SHA1 hash:
c84a66c1bae5e2a03b10a12224179d1fb7273190
Link:
https://www.unpac.me/results/82647331-d734-4e9f-bad1-52214beec8b6/
SH256 hash:
e5c7adb6f34641712e29a8dbcd807ce182c10ddd37e60f5e0c323f44f457f5c0
MD5 hash:
d6feb00f8d246402bec034d46de3a31b
SHA1 hash:
7d61fda71d81443ee089412b28c854d5a25c0b1c
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/82647331-d734-4e9f-bad1-52214beec8b6/
Parent samples :
f7e5bc980e9a7659ba8aedcb0e5ec208b13d807657ceaeb276db2f5ddeb0b2cf
36e763233ca3ff441f5ce71a59ec7b108f6329d27406b378758f6437a0f049c8
2139944dcc75ffd2ae23cf50fb751ebec4dffb7774764e8b4d48808f0925aedd
7b9502c277114c4c5cde1d0ce893041f2a880ce2808855ec74faf47485660d51
f554eee597d0262cd192e15ecfb61c71746ca2c0bc9948dc7703440e797f802e
e72ab72a888f6ef0627bb1ea5452a168792d1dc4037b74c34cc557eb5d2fe000
63fecafde6aed53ac007e7a69372eda93dfa06143552644ceee7f032886c1c58
c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6
33d4fd69c03968b472e3b5ec2fdf43db754aeed4366ae0111ac97fd394ef1e45
504e1940bd93e130262a7bd2b15fb622f178e2b533bfb5514ddc860ea164266d
SH256 hash:
21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash:
440bb4db146ccb1161ac2bcf365d7676
SHA1 hash:
506eda511b46df6e95d86861e70fda81307f8623
Link:
https://www.unpac.me/results/82647331-d734-4e9f-bad1-52214beec8b6/
SH256 hash:
c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6
MD5 hash:
e935e578fc9c3f2eb8eb3cf3ae0e1d8e
SHA1 hash:
7f61dd4a9f7b98d811238a2a7773fa4c18a086c1
Link:
https://www.unpac.me/results/82647331-d734-4e9f-bad1-52214beec8b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3509aae7603690ed7a902f1d9b12ef6c2a9ba1909dbefc61d74372041be75c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/470216/

Comments